I'm announcing the release of the 4.9.323 kernel.
All users of the 4.9 kernel series must upgrade.
The updated 4.9.y git tree can be found at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git linux-4.9.y and can be browsed at the normal kernel.org git web browser: https://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git%3Ba=summa...
thanks,
greg k-h
------------
Makefile | 2 +- drivers/dma/at_xdmac.c | 5 +++++ drivers/dma/ti-dma-crossbar.c | 5 +++++ drivers/i2c/busses/i2c-cadence.c | 1 + drivers/iommu/dmar.c | 2 +- drivers/net/can/grcan.c | 1 - drivers/net/can/usb/gs_usb.c | 23 +++++++++++++++++++++-- drivers/net/usb/usbnet.c | 17 ++++++++++++----- drivers/pinctrl/sunxi/pinctrl-sun8i-a83t.c | 10 +++++----- fs/xfs/xfs_inode.c | 1 - include/video/of_display_timing.h | 2 ++ lib/idr.c | 4 +++- mm/slub.c | 5 +++++ net/rose/rose_route.c | 4 ++-- 14 files changed, 63 insertions(+), 19 deletions(-)
Duoming Zhou (1): net: rose: fix UAF bug caused by rose_t0timer_expiry
Eric Sandeen (1): xfs: remove incorrect ASSERT in xfs_rename
Greg Kroah-Hartman (1): Linux 4.9.323
Hsin-Yi Wang (1): video: of_display_timing.h: include errno.h
Jann Horn (1): mm/slub: add missing TID updates on slab deactivation
Liang He (1): can: grcan: grcan_probe(): remove extra of_node_get()
Linus Torvalds (1): ida: don't use BUG_ON() for debugging
Miaoqian Lin (2): dmaengine: ti: Fix refcount leak in ti_dra7_xbar_route_allocate dmaengine: ti: Add missing put_device in ti_dra7_xbar_route_allocate
Michael Walle (1): dmaengine: at_xdma: handle errors of at_xdmac_alloc_desc() correctly
Oliver Neukum (1): usbnet: fix memory leak in error case
Rhett Aultman (1): can: gs_usb: gs_usb_open/close(): fix memory leak
Samuel Holland (1): pinctrl: sunxi: a83t: Fix NAND function name for some pins
Satish Nagireddy (1): i2c: cadence: Unregister the clk notifier in error path
Yian Chen (1): iommu/vt-d: Fix PCI bus rescan device hot add
diff --git a/Makefile b/Makefile index bd4c898a9940..44c3b223062a 100644 --- a/Makefile +++ b/Makefile @@ -1,6 +1,6 @@ VERSION = 4 PATCHLEVEL = 9 -SUBLEVEL = 322 +SUBLEVEL = 323 EXTRAVERSION = NAME = Roaring Lionus
diff --git a/drivers/dma/at_xdmac.c b/drivers/dma/at_xdmac.c index ca266fcca186..f191057065f7 100644 --- a/drivers/dma/at_xdmac.c +++ b/drivers/dma/at_xdmac.c @@ -1806,6 +1806,11 @@ static int at_xdmac_alloc_chan_resources(struct dma_chan *chan) for (i = 0; i < init_nr_desc_per_channel; i++) { desc = at_xdmac_alloc_desc(chan, GFP_ATOMIC); if (!desc) { + if (i == 0) { + dev_warn(chan2dev(chan), + "can't allocate any descriptors\n"); + return -EIO; + } dev_warn(chan2dev(chan), "only %d descriptors have been allocated\n", i); break; diff --git a/drivers/dma/ti-dma-crossbar.c b/drivers/dma/ti-dma-crossbar.c index a7e1f6e17e3d..8ea8d04e1ae0 100644 --- a/drivers/dma/ti-dma-crossbar.c +++ b/drivers/dma/ti-dma-crossbar.c @@ -251,6 +251,7 @@ static void *ti_dra7_xbar_route_allocate(struct of_phandle_args *dma_spec, if (dma_spec->args[0] >= xbar->xbar_requests) { dev_err(&pdev->dev, "Invalid XBAR request number: %d\n", dma_spec->args[0]); + put_device(&pdev->dev); return ERR_PTR(-EINVAL); }
@@ -258,12 +259,14 @@ static void *ti_dra7_xbar_route_allocate(struct of_phandle_args *dma_spec, dma_spec->np = of_parse_phandle(ofdma->of_node, "dma-masters", 0); if (!dma_spec->np) { dev_err(&pdev->dev, "Can't get DMA master\n"); + put_device(&pdev->dev); return ERR_PTR(-EINVAL); }
map = kzalloc(sizeof(*map), GFP_KERNEL); if (!map) { of_node_put(dma_spec->np); + put_device(&pdev->dev); return ERR_PTR(-ENOMEM); }
@@ -274,6 +277,8 @@ static void *ti_dra7_xbar_route_allocate(struct of_phandle_args *dma_spec, mutex_unlock(&xbar->mutex); dev_err(&pdev->dev, "Run out of free DMA requests\n"); kfree(map); + of_node_put(dma_spec->np); + put_device(&pdev->dev); return ERR_PTR(-ENOMEM); } set_bit(map->xbar_out, xbar->dma_inuse); diff --git a/drivers/i2c/busses/i2c-cadence.c b/drivers/i2c/busses/i2c-cadence.c index a29ac9bae6d5..9ab056bb834d 100644 --- a/drivers/i2c/busses/i2c-cadence.c +++ b/drivers/i2c/busses/i2c-cadence.c @@ -992,6 +992,7 @@ static int cdns_i2c_probe(struct platform_device *pdev) return 0;
err_clk_dis: + clk_notifier_unregister(id->clk, &id->clk_rate_change_nb); clk_disable_unprepare(id->clk); pm_runtime_set_suspended(&pdev->dev); pm_runtime_disable(&pdev->dev); diff --git a/drivers/iommu/dmar.c b/drivers/iommu/dmar.c index 9ad5a7019abf..d8b8cf36de31 100644 --- a/drivers/iommu/dmar.c +++ b/drivers/iommu/dmar.c @@ -373,7 +373,7 @@ static int dmar_pci_bus_notifier(struct notifier_block *nb,
static struct notifier_block dmar_pci_bus_nb = { .notifier_call = dmar_pci_bus_notifier, - .priority = INT_MIN, + .priority = 1, };
static struct dmar_drhd_unit * diff --git a/drivers/net/can/grcan.c b/drivers/net/can/grcan.c index c6a176d8681c..4e3432182092 100644 --- a/drivers/net/can/grcan.c +++ b/drivers/net/can/grcan.c @@ -1669,7 +1669,6 @@ static int grcan_probe(struct platform_device *ofdev) */ sysid_parent = of_find_node_by_path("/ambapp0"); if (sysid_parent) { - of_node_get(sysid_parent); err = of_property_read_u32(sysid_parent, "systemid", &sysid); if (!err && ((sysid & GRLIB_VERSION_MASK) >= GRCAN_TXBUG_SAFE_GRLIB_VERSION)) diff --git a/drivers/net/can/usb/gs_usb.c b/drivers/net/can/usb/gs_usb.c index 6771c51f72c3..e3dc59fffdb7 100644 --- a/drivers/net/can/usb/gs_usb.c +++ b/drivers/net/can/usb/gs_usb.c @@ -192,6 +192,8 @@ struct gs_can {
struct usb_anchor tx_submitted; atomic_t active_tx_urbs; + void *rxbuf[GS_MAX_RX_URBS]; + dma_addr_t rxbuf_dma[GS_MAX_RX_URBS]; };
/* usb interface struct */ @@ -601,6 +603,7 @@ static int gs_can_open(struct net_device *netdev) for (i = 0; i < GS_MAX_RX_URBS; i++) { struct urb *urb; u8 *buf; + dma_addr_t buf_dma;
/* alloc rx urb */ urb = usb_alloc_urb(0, GFP_KERNEL); @@ -611,7 +614,7 @@ static int gs_can_open(struct net_device *netdev) buf = usb_alloc_coherent(dev->udev, sizeof(struct gs_host_frame), GFP_KERNEL, - &urb->transfer_dma); + &buf_dma); if (!buf) { netdev_err(netdev, "No memory left for USB buffer\n"); @@ -619,6 +622,8 @@ static int gs_can_open(struct net_device *netdev) return -ENOMEM; }
+ urb->transfer_dma = buf_dma; + /* fill, anchor, and submit rx urb */ usb_fill_bulk_urb(urb, dev->udev, @@ -642,10 +647,17 @@ static int gs_can_open(struct net_device *netdev) rc);
usb_unanchor_urb(urb); + usb_free_coherent(dev->udev, + sizeof(struct gs_host_frame), + buf, + buf_dma); usb_free_urb(urb); break; }
+ dev->rxbuf[i] = buf; + dev->rxbuf_dma[i] = buf_dma; + /* Drop reference, * USB core will take care of freeing it */ @@ -710,13 +722,20 @@ static int gs_can_close(struct net_device *netdev) int rc; struct gs_can *dev = netdev_priv(netdev); struct gs_usb *parent = dev->parent; + unsigned int i;
netif_stop_queue(netdev);
/* Stop polling */ parent->active_channels--; - if (!parent->active_channels) + if (!parent->active_channels) { usb_kill_anchored_urbs(&parent->rx_submitted); + for (i = 0; i < GS_MAX_RX_URBS; i++) + usb_free_coherent(dev->udev, + sizeof(struct gs_host_frame), + dev->rxbuf[i], + dev->rxbuf_dma[i]); + }
/* Stop sending URBs */ usb_kill_anchored_urbs(&dev->tx_submitted); diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c index 4b7a9672d92b..d8253c6ac2b0 100644 --- a/drivers/net/usb/usbnet.c +++ b/drivers/net/usb/usbnet.c @@ -2085,7 +2085,7 @@ static void usbnet_async_cmd_cb(struct urb *urb) int usbnet_write_cmd_async(struct usbnet *dev, u8 cmd, u8 reqtype, u16 value, u16 index, const void *data, u16 size) { - struct usb_ctrlrequest *req = NULL; + struct usb_ctrlrequest *req; struct urb *urb; int err = -ENOMEM; void *buf = NULL; @@ -2103,7 +2103,7 @@ int usbnet_write_cmd_async(struct usbnet *dev, u8 cmd, u8 reqtype, if (!buf) { netdev_err(dev->net, "Error allocating buffer" " in %s!\n", __func__); - goto fail_free; + goto fail_free_urb; } }
@@ -2127,14 +2127,21 @@ int usbnet_write_cmd_async(struct usbnet *dev, u8 cmd, u8 reqtype, if (err < 0) { netdev_err(dev->net, "Error submitting the control" " message: status=%d\n", err); - goto fail_free; + goto fail_free_all; } return 0;
+fail_free_all: + kfree(req); fail_free_buf: kfree(buf); -fail_free: - kfree(req); + /* + * avoid a double free + * needed because the flag can be set only + * after filling the URB + */ + urb->transfer_flags = 0; +fail_free_urb: usb_free_urb(urb); fail: return err; diff --git a/drivers/pinctrl/sunxi/pinctrl-sun8i-a83t.c b/drivers/pinctrl/sunxi/pinctrl-sun8i-a83t.c index 383977ea3a3c..0b5aba4bf338 100644 --- a/drivers/pinctrl/sunxi/pinctrl-sun8i-a83t.c +++ b/drivers/pinctrl/sunxi/pinctrl-sun8i-a83t.c @@ -158,26 +158,26 @@ static const struct sunxi_desc_pin sun8i_a83t_pins[] = { SUNXI_PIN(SUNXI_PINCTRL_PIN(C, 14), SUNXI_FUNCTION(0x0, "gpio_in"), SUNXI_FUNCTION(0x1, "gpio_out"), - SUNXI_FUNCTION(0x2, "nand"), /* DQ6 */ + SUNXI_FUNCTION(0x2, "nand0"), /* DQ6 */ SUNXI_FUNCTION(0x3, "mmc2")), /* D6 */ SUNXI_PIN(SUNXI_PINCTRL_PIN(C, 15), SUNXI_FUNCTION(0x0, "gpio_in"), SUNXI_FUNCTION(0x1, "gpio_out"), - SUNXI_FUNCTION(0x2, "nand"), /* DQ7 */ + SUNXI_FUNCTION(0x2, "nand0"), /* DQ7 */ SUNXI_FUNCTION(0x3, "mmc2")), /* D7 */ SUNXI_PIN(SUNXI_PINCTRL_PIN(C, 16), SUNXI_FUNCTION(0x0, "gpio_in"), SUNXI_FUNCTION(0x1, "gpio_out"), - SUNXI_FUNCTION(0x2, "nand"), /* DQS */ + SUNXI_FUNCTION(0x2, "nand0"), /* DQS */ SUNXI_FUNCTION(0x3, "mmc2")), /* RST */ SUNXI_PIN(SUNXI_PINCTRL_PIN(C, 17), SUNXI_FUNCTION(0x0, "gpio_in"), SUNXI_FUNCTION(0x1, "gpio_out"), - SUNXI_FUNCTION(0x2, "nand")), /* CE2 */ + SUNXI_FUNCTION(0x2, "nand0")), /* CE2 */ SUNXI_PIN(SUNXI_PINCTRL_PIN(C, 18), SUNXI_FUNCTION(0x0, "gpio_in"), SUNXI_FUNCTION(0x1, "gpio_out"), - SUNXI_FUNCTION(0x2, "nand")), /* CE3 */ + SUNXI_FUNCTION(0x2, "nand0")), /* CE3 */ /* Hole */ SUNXI_PIN(SUNXI_PINCTRL_PIN(D, 2), SUNXI_FUNCTION(0x0, "gpio_in"), diff --git a/fs/xfs/xfs_inode.c b/fs/xfs/xfs_inode.c index c5f2f1e3cc4b..48d62da62226 100644 --- a/fs/xfs/xfs_inode.c +++ b/fs/xfs/xfs_inode.c @@ -2973,7 +2973,6 @@ xfs_rename( * appropriately. */ if (flags & RENAME_WHITEOUT) { - ASSERT(!(flags & (RENAME_NOREPLACE | RENAME_EXCHANGE))); error = xfs_rename_alloc_whiteout(target_dp, &wip); if (error) return error; diff --git a/include/video/of_display_timing.h b/include/video/of_display_timing.h index ea755b5616d8..cb3f3b2e7ccf 100644 --- a/include/video/of_display_timing.h +++ b/include/video/of_display_timing.h @@ -9,6 +9,8 @@ #ifndef __LINUX_OF_DISPLAY_TIMING_H #define __LINUX_OF_DISPLAY_TIMING_H
+#include <linux/errno.h> + struct device_node; struct display_timing; struct display_timings; diff --git a/lib/idr.c b/lib/idr.c index 6098336df267..c657e35433e6 100644 --- a/lib/idr.c +++ b/lib/idr.c @@ -1124,7 +1124,9 @@ void ida_simple_remove(struct ida *ida, unsigned int id) { unsigned long flags;
- BUG_ON((int)id < 0); + if ((int)id < 0) + return; + spin_lock_irqsave(&simple_ida_lock, flags); ida_remove(ida, id); spin_unlock_irqrestore(&simple_ida_lock, flags); diff --git a/mm/slub.c b/mm/slub.c index 0b13135fd571..c07c5fa6adcd 100644 --- a/mm/slub.c +++ b/mm/slub.c @@ -2556,6 +2556,7 @@ static void *___slab_alloc(struct kmem_cache *s, gfp_t gfpflags, int node, deactivate_slab(s, page, c->freelist); c->page = NULL; c->freelist = NULL; + c->tid = next_tid(c->tid); goto new_slab; } } @@ -2569,6 +2570,7 @@ static void *___slab_alloc(struct kmem_cache *s, gfp_t gfpflags, int node, deactivate_slab(s, page, c->freelist); c->page = NULL; c->freelist = NULL; + c->tid = next_tid(c->tid); goto new_slab; }
@@ -2581,6 +2583,7 @@ static void *___slab_alloc(struct kmem_cache *s, gfp_t gfpflags, int node,
if (!freelist) { c->page = NULL; + c->tid = next_tid(c->tid); stat(s, DEACTIVATE_BYPASS); goto new_slab; } @@ -2605,6 +2608,7 @@ static void *___slab_alloc(struct kmem_cache *s, gfp_t gfpflags, int node, c->partial = page->next; stat(s, CPU_PARTIAL_ALLOC); c->freelist = NULL; + c->tid = next_tid(c->tid); goto redo; }
@@ -2627,6 +2631,7 @@ static void *___slab_alloc(struct kmem_cache *s, gfp_t gfpflags, int node, deactivate_slab(s, page, get_freepointer(s, freelist)); c->page = NULL; c->freelist = NULL; + c->tid = next_tid(c->tid); return freelist; }
diff --git a/net/rose/rose_route.c b/net/rose/rose_route.c index 9f704a7f2a28..34e7e2ab78fe 100644 --- a/net/rose/rose_route.c +++ b/net/rose/rose_route.c @@ -230,8 +230,8 @@ static void rose_remove_neigh(struct rose_neigh *rose_neigh) { struct rose_neigh *s;
- rose_stop_ftimer(rose_neigh); - rose_stop_t0timer(rose_neigh); + del_timer_sync(&rose_neigh->ftimer); + del_timer_sync(&rose_neigh->t0timer);
skb_queue_purge(&rose_neigh->queue);
linux-stable-mirror@lists.linaro.org